Feature/lab3#436

Open
Sarantsev wants to merge 15 commits into inno-devops-labs:main from Sarantsev:feature/lab3

Conversation

@Sarantsev

Goal

This PR implements secure Git fundamentals for Lab 3, including SSH commit signing and automated pre-commit secret scanning. The goal is to establish cryptographic verification of commit authenticity and prevent accidental exposure of secrets in the repository.

Changes

  • Configured SSH commit signing with ed25519 key

  • Implemented pre-commit hook for automated secret scanning

  • Added dual-scanner approach using TruffleHog and Gitleaks via Docker

  • Created comprehensive documentation in labs/submission3.md

  • Configured selective scanning to exclude lectures/ directory

Testing

Task 1: SSH Commit Signing

# Verified Git configuration
git config --get user.signingkey
git config --get commit.gpgsign
git config --get gpg.format

# Created signed commit
git commit -S -m "docs: add commit signing summary"

# Verified signature
git log --show-signature -1

Task 2: Pre-commit Secret Scanning
A test file test_aws_key.txt was created containing a fake AWS access key:

aws_access_key_id = ...
aws_secret_access_key = ...
github_token = ...
stripe_test_key = ...

The file was staged and a commit attempted:

git add secrets.txt
git commit -m "test"

Artifacts & Screenshots

SSH Commit Configuration

commit.gpgsign=true
gpg.format=ssh
user.signingkey=/home/a/.ssh/id_ed25519.pub

Secret Detection Output Examples
Terminal output:

[pre-commit] scanning staged files for secrets…
[pre-commit] Files to scan: secrets.txt
[pre-commit] Non-lectures files: secrets.txt
[pre-commit] Lectures files: none
[pre-commit] TruffleHog scan on non-lectures files…
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2026-02-23T11:16:09Z    info-0  trufflehog      running source  {"source_manager_worker_id": "8T9hE", "with_units": true}
2026-02-23T11:16:10Z    info-0  trufflehog      finished scanning       {"chunks": 1, "bytes": 213, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "953.897647ms", "trufflehog_version": "3.93.4", "verification_caching": {"Hits":0,"Misses":2,"HitsWasted":0,"AttemptsSaved":0,"VerificationTimeSpentMS":1343}}
[pre-commit] ✓ TruffleHog found no secrets in non-lectures files
[pre-commit] Gitleaks scan on staged files…
[pre-commit] Scanning secrets.txt with Gitleaks...
Gitleaks found secrets in secrets.txt:
Finding:     stripe_test_key = ...
Secret:      ...
RuleID:      stripe-access-token
Entropy:     4.538910
File:        secrets.txt
Line:        4
Fingerprint: secrets.txt:stripe-access-token:4

11:16AM INF scanned ~213 bytes (213 bytes) in 91.4ms
11:16AM WRN leaks found: 1
---
✖ Secrets found in non-excluded file: secrets.txt

[pre-commit] === SCAN SUMMARY ===
TruffleHog found secrets in non-lectures files: false
Gitleaks found secrets in non-lectures files: true
Gitleaks found secrets in lectures files: false

✖ COMMIT BLOCKED: Secrets detected in non-excluded files.
Fix or unstage the offending files and try again.

Successful commit

[pre-commit] scanning staged files for secrets…
[pre-commit] Files to scan: labs/submission3.md
[pre-commit] Non-lectures files: labs/submission3.md
[pre-commit] Lectures files: none
[pre-commit] TruffleHog scan on non-lectures files…
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2026-02-23T11:20:36Z    info-0  trufflehog      running source  {"source_manager_worker_id": "JBEq3", "with_units": true}
2026-02-23T11:20:36Z    info-0  trufflehog      finished scanning       {"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "2.605609ms", "trufflehog_version": "3.93.4", "verification_caching": {"Hits":0,"Misses":0,"HitsWasted":0,"AttemptsSaved":0,"VerificationTimeSpentMS":0}}
[pre-commit] ✓ TruffleHog found no secrets in non-lectures files
[pre-commit] Gitleaks scan on staged files…
[pre-commit] Scanning labs/submission3.md with Gitleaks...
[pre-commit] No secrets found in labs/submission3.md

[pre-commit] === SCAN SUMMARY ===
TruffleHog found secrets in non-lectures files: false
Gitleaks found secrets in non-lectures files: false
Gitleaks found secrets in lectures files: false

✓ No secrets detected in non-excluded files; proceeding with commit.
[feature/lab3 abcd9e8] docs: complete lab3 submission
 1 file changed, 249 deletions(-)
 rewrite labs/submission3.md (100%)

Checklist

  • PR has a clear, descriptive title
  • Documentation is updated
  • No secrets or sensitive data
  • Task 1 done — SSH commit signing setup
  • Task 2 done — Pre-commit secrets scanning setup
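The Task 1 commands above set gpg.format, user.signingkey and commit.gpgsign, then run git log --show-signature. One thing a reviewer would want to see is the verification side: git only reports a good SSH signature once gpg.ssh.allowedSignersFile maps a principal to the public key, otherwise --show-signature prints "No principal matched". The script below is an added example, not the PR's own setup; it builds a throwaway repository with the same three settings, adds the allowed_signers mapping, makes a signed commit and reads back git's one-letter verdict. It assumes git 2.34 or newer and ssh-keygen on PATH; every path and identity in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the PR: a throwaway repo with SSH commit signing,
# verified the way `git log --show-signature` does it. Assumptions: git 2.34+
# and ssh-keygen are installed; all paths and identities are constructed.

# $1 = scratch directory, $2 = principal (an e-mail) recorded in allowed_signers.
setup_signing_repo() {
  dir=$1; principal=$2
  mkdir -p "$dir/.ssh" "$dir/repo" && chmod 700 "$dir/.ssh" || return 1
  # Fresh ed25519 key with no passphrase, as a lab setup would use.
  ssh-keygen -q -t ed25519 -N '' -C "$principal" -f "$dir/.ssh/id_ed25519" </dev/null || return 1
  # allowed_signers format: <principal> <key-type> <base64-key> [comment]
  printf '%s %s\n' "$principal" "$(cat "$dir/.ssh/id_ed25519.pub")" > "$dir/.ssh/allowed_signers"
  git init -q "$dir/repo" || return 1
  git -C "$dir/repo" config user.name "Example Signer"
  git -C "$dir/repo" config user.email "$principal"
  # The same three settings the PR shows. Pointing user.signingkey at the .pub
  # file lets ssh-keygen load the private key that sits beside it.
  git -C "$dir/repo" config gpg.format ssh
  git -C "$dir/repo" config user.signingkey "$dir/.ssh/id_ed25519.pub"
  git -C "$dir/repo" config commit.gpgsign true
  # Without this mapping, verification reports "No principal matched".
  git -C "$dir/repo" config gpg.ssh.allowedSignersFile "$dir/.ssh/allowed_signers"
}

# Makes one commit (signed automatically via commit.gpgsign) and prints git's
# signature verdict: G = good, N = no signature, B = bad, E = cannot be checked.
sign_and_verify() {
  dir=$1
  printf 'signed content\n' > "$dir/repo/README.md"
  git -C "$dir/repo" add README.md || return 2
  git -C "$dir/repo" commit -q -m "docs: add commit signing summary" || return 2
  git -C "$dir/repo" log -1 --format=%G?
}
```

Run it as `setup_signing_repo /tmp/sigdemo signer@example.invalid && sign_and_verify /tmp/sigdemo`; a `G` means the signature checked out against allowed_signers, which is the state `git log --show-signature -1` reports as a good signature.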

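The Task 2 output above shows the hook's behaviour from the outside: staged files are split into lectures/ and non-lectures buckets, TruffleHog runs on the non-lectures files, Gitleaks runs on everything, and the commit is blocked only when a non-excluded file has findings. The hook below is an added example in that shape, written for this page rather than taken from the PR. It assumes Docker is installed, that the trufflesecurity/trufflehog and zricethezav/gitleaks images can be pulled, that TruffleHog's --fail exits 183 on findings and that Gitleaks honours --exit-code; it also assumes, from the summary lines above, that findings under lectures/ are reported but do not block. One detail it adds that the output does not show: if a scanner cannot run at all, the commit is blocked rather than waved through unscanned.

```shell
#!/bin/sh
# Added example pre-commit hook in the shape this PR describes; not the PR's
# own hook. Assumptions: Docker is installed, the trufflesecurity/trufflehog
# and zricethezav/gitleaks images are pullable, TruffleHog v3's --fail exits
# 183 on findings, Gitleaks honours --exit-code. Findings under lectures/ are
# reported but do not block.

EXCLUDE_PREFIX="${EXCLUDE_PREFIX:-lectures/}"

# 0 when the path lies under the excluded prefix, 1 otherwise.
is_excluded() {
  case "$1" in
    "$EXCLUDE_PREFIX"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Staged paths that will exist after the commit (added, copied, modified).
staged_files() {
  git diff --cached --name-only --diff-filter=ACM
}

# Scanner wrappers, one file each. Status: 0 clean, 1 findings, 2 scanner error.
run_trufflehog() {
  docker run --rm -v "$PWD:/repo:ro" trufflesecurity/trufflehog:latest \
    filesystem "/repo/$1" --no-update --fail
  case $? in 0) return 0 ;; 183) return 1 ;; *) return 2 ;; esac
}

run_gitleaks() {
  # --exit-code 3 keeps "leaks found" distinct from Gitleaks' own error exit.
  docker run --rm -v "$PWD:/repo:ro" zricethezav/gitleaks:latest \
    detect --no-git --no-banner --source "/repo/$1" --exit-code 3
  case $? in 0) return 0 ;; 3) return 1 ;; *) return 2 ;; esac
}

# Reads one path per line on stdin. Non-excluded files get both scanners;
# excluded files get Gitleaks for reporting only. Returns 1 when the commit
# must be blocked, including when a scanner could not run (fail closed).
scan_list() {
  th_hit=false; gl_hit=false; gl_lect_hit=false; scan_error=false
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if is_excluded "$f"; then
      run_gitleaks "$f"
      case $? in 1) gl_lect_hit=true ;; 2) scan_error=true ;; esac
      continue
    fi
    run_trufflehog "$f"
    case $? in 1) th_hit=true ;; 2) scan_error=true ;; esac
    run_gitleaks "$f"
    case $? in 1) gl_hit=true ;; 2) scan_error=true ;; esac
  done
  echo "[pre-commit] === SCAN SUMMARY ==="
  echo "TruffleHog found secrets in non-lectures files: $th_hit"
  echo "Gitleaks found secrets in non-lectures files: $gl_hit"
  echo "Gitleaks found secrets in lectures files: $gl_lect_hit"
  if [ "$scan_error" = true ]; then
    echo "COMMIT BLOCKED: a scanner failed to run; not committing unscanned files." >&2
    return 1
  fi
  if [ "$th_hit" = true ] || [ "$gl_hit" = true ]; then
    echo "COMMIT BLOCKED: Secrets detected in non-excluded files." >&2
    return 1
  fi
  echo "No secrets detected in non-excluded files; proceeding with commit."
  return 0
}

main() {
  echo "[pre-commit] scanning staged files for secrets..."
  staged_files | scan_list
}

# Git runs this file as .git/hooks/pre-commit; anywhere else only the
# functions are defined, so the file can be sourced and exercised with fakes.
case "$0" in */hooks/pre-commit) main "$@" ;; esac
```

Install it as .git/hooks/pre-commit with the execute bit set. The scanners are wrapped in their own functions so the decision logic can be exercised without Docker by redefining run_trufflehog and run_gitleaks, which is also how the bucket split and the fail-closed path can be checked before the hook guards real commits.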
1 participant